The FDIC's Implementation of Its Information Security Strategic Plan

(Audit Report No. 03-031, July 18, 2003)


Summary

The Federal Deposit Insurance Corporation's (FDIC) Office of Inspector General (OIG) has completed an audit of the FDIC's information security strategic plan. The objective of our review was to evaluate the adequacy of the FDIC's implementation activities for protecting its critical cyber-based infrastructure. To accomplish our objectives, we reviewed the adequacy of the FDIC's Information Security Strategic Plan and Tactical Plan, documentation supporting implementation of the Tactical Plan, relevant guidance for the preparation and implementation of an information security program, and prior plans and studies prepared by the FDIC relating to its information security program. Additionally, we interviewed selected FDIC officials responsible for developing and implementing the Tactical Plan. The audit was performed as part of a review by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. The review also supports the OIG's Federal Information Security Management Act-related reporting requirements.

The FDIC's Information Security Strategic Plan needed improvement. Specifically, the FDIC had not fully implemented the plan or adequately addressed its human capital needs. As a result of various FDIC security program initiatives and our ability to further evaluate the FDIC's progress as part of our ongoing Federal Information Security Management Act audit, we did not make recommendations related to the FDIC's implementation of the Tactical Plan.

Recommendation

We did recommend that the Acting Director, Division of Information and Resources Management (DIRM), develop a human capital plan to identify and address any shortfalls in staff resources or skill mix for the information technology security program. The plan should address the need for recruitment, training, and education of the security plan and be included in the Tactical Plan.

Management Response

The Acting Director, DIRM, adequately addressed the recommendation, which is considered resolved.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.